Closed
Bug 632024
Opened 14 years ago
Closed 13 years ago
Reflect.parse(Array(1000).join("x + y - ") + "z") crashes with stack overflow
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jorendorff, Assigned: dherman)
Details
(Whiteboard: reflect-parse fixed-in-tracemonkey)
Attachments
(1 file, 1 obsolete file)
|
4.89 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
js_EmitTree can't compile that expression either, but it manage to avoid crashing by calling JS_CHECK_RECURSION.
|
Assignee | |
Comment 1•14 years ago
|
||
Couldn't reproduce on my MacOS machine at first, but fattening up my ASTSerializer::expression() frames with a 16KB array got it to reproduce, using
Reflect.parse(Array(195).join("x + y - ") + "z")
Dave
|
|
Assignee | |
Comment 2•14 years ago
|
||
I need to audit this a little more carefully, but I think the main recursive entry points that need a JS_CHECK_RECURSION guard are:
ASTSerializer::expression()
ASTSerializer::statement()
ASTSerializer::pattern()
and possibly
ASTSerializer::declaration()
That last one may not be necessary. I'll post a patch soon.
Thanks,
Dave
|
|
Assignee | |
Comment 3•14 years ago
|
||
Jason, if you have a chance could you test this patch on your Windows machine? I will also run it through tryserver.
Thanks,
Dave
Assignee: general → dherman
|
|
Assignee | |
Comment 4•14 years ago
|
||
BTW, the patch adds JS_CHECK_RECURSION for the following entry points:
ASTSerializer::expression()
ASTSerializer::statement()
ASTSerializer::pattern()
ASTSerializer::xml()
It doesn't for ASTSerializer::declaration() or ASTSerializer::function() since those can only enter cycles by passing through ASTSerializer::statement() or ASTSerializer::expression().
Dave
|
|
Assignee | |
Updated•14 years ago
|
Whiteboard: reflect-parse
|
|
Assignee | |
Comment 5•13 years ago
|
||
Patch had gone stale; updated.
Jason: can you test this for me on your Windows machine?
Thanks,
Dave
Attachment #511445 -
Attachment is obsolete: true
Attachment #537796 -
Flags: feedback?(jorendorff)
|
Reporter | |
Comment 6•13 years ago
|
||
Comment on attachment 537796 [details] [diff] [review]
refreshed stale patch
Review of attachment 537796 [details] [diff] [review]:
-----------------------------------------------------------------
Attachment #537796 -
Flags: feedback?(jorendorff) → review+
|
|
Reporter | |
Comment 7•13 years ago
|
||
It works on my machine.
js> Reflect.parse(Array(1000).join("x + y - ") + "z")
typein:1: InternalError: too much recursion
|
|
Assignee | |
Comment 8•13 years ago
|
||
Whiteboard: reflect-parse → reflect-parse fixed-in-tracemonkey
|
||
Comment 9•13 years ago
|
||
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/0cc25c98d38e
|
|
||
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•